Remarks

The Office Action mailed November 3, 2006 has been carefully reviewed and the 
foregoing amendment has been made in consequence thereof. 

Claims 1-25, 27-56, 58-89 and 119-122 are now pending in this application. Claims 1-118
stand rejected. Claims 26, 57, and 90-118 have been cancelled. Claims 119-122 are newly
added. No fee calculation sheet is needed for the newly added claims. No new matter has been
added.

The rejection of Claims 16-18, 24, and 31 under 35 U.S.C. § 101 as being directed to 
non-statutory subject matter is respectfully traversed. 

The Office Action asserts that dependent Claims 16-18, depending from independent 
Claim 1, are directed to non-statutory subject matter because the "result of the invention is not 
considered to be concrete". Specifically, the Office Action asserts that "[b]ecause all of the 
variables used to calculate the QFD score are disclosed as being determined by people, the result 
of the invention is not considered to be concrete (i.e., it is not capable of being repeated to arrive 
at a particular result)." Applicants respectfully traverse this assertion. Applicants respectfully 
submit that the mere fact that certain variables used to calculate a score may be measured by a 
person, such as an experienced risk assessor, does not mean that the score is non-repeatable or 
that the invention fails to produce a concrete result. 

Specifically, Claim 16 recites "assessing business routines and controls to ensure 
compliance with each policy . . . and determining a quality function deployment (QFD) score."
Claim 17 recites that the QFD score is determined by multiplying "process strength rating" and 
"severity rating". The specification clearly describes how the "process strength rating" and 
"severity rating" are valued and how the QFD score is calculated. For example, the originally 
filed specification provides as follows: 

In addition, risks are prioritized. Resources used to prioritize risk may include 
functional leaders, compliance leaders, compliance experts, policy owners, a 
management team, and legal counsel. Risk prioritization is used to assess the 
compliance risk, relating the risk to processes, products and environments and 
identifying and prioritizing the highest risk(s). Prioritization of the risk(s) is 






60709-00012 
PATENT 



performed by mapping a high-level risk model and compiling a list of compliance 
requirements. Next, the list of compliance requirements is prioritized and 
construction of a quality function deployment (QFD) matrix is started using 
system 10. A severity rating for non-compliance with the requirements is entered 
by a designee of the resource team listed above, and the compliance policies are 
assessed and valuated. Finally, the immediate risks are identified, construction of 
the QFD matrix is completed and the compliance risk areas are prioritized. (Para. 
0068.) 

The severity rating for non-compliance of each compliance requirement is entered 
into risk QFD matrix 180. The severity rating may be any known severity rating.
In one specific embodiment, the numerical value that is entered into risk QFD 
matrix 180 is entered into a top row 182 labeled "SEVERITY." The numerical 
value is based upon the damage to reputation and/or financial scores. In the one 
specific embodiment, a value of ten signifies damage to the reputation of the 
company or financial impact affecting more than ten percent of net income. A 
value of five signifies damage to the reputation to the business or financial impact 
affecting more than five percent but less than ten percent of net income. A value 
of one means damage to the reputation to the business region or financial impact 
affecting less than five percent of net income. A value of zero denotes no damage 
to reputation or any financial impact. Alternatively, different weighting formulas 
can be used. (Para. 0075.) 

Further, the process strength of a business routines and controls is assessed to 
ensure compliance with each policy. In one specific embodiment, the assessment 
is accomplished by rating, or quantifying, the strength of the compliance routines 
and controls to ensure compliance with the policy. The process strength rating 
may be accomplished by any known rating system. In one specific embodiment, 
a score of ten means that there is no process or no level of policy awareness. A 
score of seven indicates an inconsistent process, no documentation or sporadic, ad 
hoc generic training. A score of three means that there is no enforced process, 
limited enforced process or no regular specific training. A score of zero means 
that there is no interaction or no process is necessary. This score is used to 
calculate a QFD score for quantifying the results. (Para. 0076.) 

The score is then entered into risk QFD matrix 180. Figure 13 illustrates one 
embodiment of a completed risk QFD matrix 190 including a QFD score 192. 
The QFD score 192 may be calculated by any known method. In one specific 
embodiment, server 12 is configured to calculate the QFD score as: 

severity rating x process strength rating. 

The QFD score 192 is entered for each policy compliance area 152. The QFD 
score 192 is also used for identifying the immediate risks to the business. The 
higher the QFD score 192, the more immediate the risk to the business. (Paras. 
0077-0079.)

Applicants therefore respectfully submit that the originally filed specification clearly
describes how the variables "process strength rating" and "severity rating" are valued. 
Moreover, the originally filed specification clearly describes how the QFD score is calculated. 
Accordingly, Applicants respectfully submit that the claimed invention is directed to statutory 
subject matter because the present invention as claimed produces a useful, concrete, and tangible 
result. The mere fact that certain variables used to calculate a score may be measured by a 
person, such as an experienced risk assessor, does not mean that the invention as claimed 
produced a result that is not concrete. Therefore, Applicants submit that dependent Claims 16-18 
are patentable. 

The Office Action further asserts that dependent Claim 24, depending indirectly from 
independent Claim 1, is non-statutory. Specifically, the Office Action asserts that the risk 
prioritization number (RPN) is calculated using variables that are determined by people, and 
therefore, the invention as claimed fails to produce a concrete result. Applicants respectfully 
traverse this assertion. As stated above, Applicants respectfully submit that the mere fact that 
certain variables used to calculate a score may be measured by a person, such as an experienced 
risk assessor, does not mean that the score is non-repeatable or that the invention fails to produce 
a concrete result. 

The originally filed specification clearly describes that the RPN is calculated by 
multiplying "severity rating" and "occurrence rating" and "detection rating". Moreover, the 
originally filed specification clearly describes how these variables are valued. Accordingly, 
Applicants respectfully submit that the claimed invention is directed to statutory subject matter 
because the present invention as claimed produces a useful, concrete, and tangible result. The 
mere fact that certain variables used to calculate a score may be measured by a person, such as 
an experienced risk assessor, does not mean that the invention as claimed produced a result that 
is not concrete. Therefore, for the reasons set forth above, Applicants submit that dependent 
Claim 24 is patentable. 

The Office Action further asserts that Claim 31 is a mixture of two distinct statutory 
classes of invention. Applicants traverse this assertion. However, Applicants have amended 
independent Claim 31, and Applicants submit that Claim 31 is directed to an apparatus.

For at least the reasons set forth above, Applicants respectfully request that the Section
101 rejection of Claims 16-18, 24, and 31 be withdrawn. 

The rejection of Claims 31-89 under 35 U.S.C. § 112, first paragraph, as failing to
comply with the enablement requirement is respectfully traversed. 

The Office Action asserts that Claims 31-89 are rejected as failing to comply with the 
enablement requirement. Applicants respectfully traverse this assertion and respectfully submit 
that the originally filed specification, including the Figures, would enable one skilled in the art to 
make and/or use the invention as described in the present patent application. 

The Office Action asserts that Claims 31-89 fail to comply with the enablement
requirement. More specifically, the Office Action asserts that "one of skill in the art would not 
be able to make the server do what is claimed" and that "[o]ne of skill in the art would not be 
able to figure out how to get the server to prioritize the risks because this depends on what the 
business sees as the most risky based on any known consequences that may happen if the risk 
materializes." Applicants traverse these assertions. 

Applicants respectfully submit that the originally filed specification satisfies the enablement
requirement of Section 112, first paragraph. More specifically, Applicants submit that one
skilled in the art, after reading the originally filed specification and reviewing the figures, would 
understand how the server is able to prioritize compliance risks for a business, identify potential 
failure modes with causes and effects, and recommend risk monitoring and control mechanisms. 
For example, the originally filed specification provides in relevant part as follows: 

Server 12 is configured to assess compliance, prioritize risk, benchmark existing 
programs, identify improvement opportunities, and identify potential best 
practices as part of a compliance program. A user interface allows a user to 
input data relating to the identification and quantification of a company's 
compliance process and to receive identification and quantification of compliance 
output. A computer-based compliance identification and quantification tool, as 
described below in more detail, is stored in server computer 12 and can be 
accessed by a requester at any one of computers 14. (Emphasis added.) (Para. 
0048.) 

Assessment of a compliance program is used to benchmark existing programs, 
identify improvement opportunities and identify potential best practices. 
Referring to Figure 3, a flowchart 70 for process steps executed in assessing at
least one compliance program is shown. More specifically, server 12 (shown in 
Figures 1 and 2) is configured to facilitate steps described in Figure 3. First, a 
cross-functional team is assembled 72 to determine what constitutes compliance. 
The cross-functional team may have members from all functional areas of a 
business having knowledge of compliance policies and how they relate to their 
function area. The cross-functional team is assembled 72 using a knowledge base 
which is stored on server 12 and may include any information relevant to the 
assembly 72 of a cross-functional team. (Emphasis added.) (Para. 0056.) 

In one embodiment, server 12 is configured to use the knowledge base to 
determine what constitutes an affirmative answer to a question in the 
questionnaire. Compliance is largely dependent upon the particular 
circumstances of each business. Accordingly, the knowledge base may include, 
for example, information from compliance leaders and information relevant to 
each business and for each environment. The knowledge base may also include 
standards for minimum program qualities and the level of documentation 
required for proof in answering the question which sets a standard used as a 
guide through the interviews with process owners. (Emphasis added.) (Para. 
0058.) 

System 10 outputs 98 at least one of a completed questionnaire, a summary of 
current status, improvement opportunities, action plans and potential best 
practices, program summary and policy summary. (Para. 0061.)

Server 12 (shown in Figures 1 and 2) summarizes the results of the assessment of 
the compliance program by automatically converting questionnaire metrics chart 
130 (shown in Figure 7) to a compliance program assessment summary chart 
when instructed to do so by a functional or compliance leader. One embodiment 
of a compliance program assessment summary chart 140 is shown in Figure 8. 
The program assessment summary 140 includes, for example, the percent of 
compliance 132 by compliance assessment area 124, progress since the last 
review, focus areas for the next review and a comparison of criteria based on 
business risk and environment. (Emphasis added.) (Para. 0066.) 

Server 12 is further configured to respond to a request to summarize the 
assessment results of the compliance program by converting questionnaire 
metrics chart 130 (shown in Figure 7) to a policy assessment summary. One 
embodiment of a policy assessment summary chart 150 is shown in Figure 9. 
Policy assessment summary chart 150 includes, for example, the percent of 
compliance 132 by policy assessment area 152. (Emphasis added.) (Para. 0067.) 

In addition, risks are prioritized. Resources used to prioritize risk may include 
functional leaders, compliance leaders, compliance experts, policy owners, a 
management team, and legal counsel. Risk prioritization is used to assess the 
compliance risk, relating the risk to processes, products and environments and 
identifying and prioritizing the highest risk(s). Prioritization of the risk(s) is 
performed by mapping a high-level risk model and compiling a list of compliance
requirements. Next, the list of compliance requirements is prioritized and 
construction of a quality function deployment (QFD) matrix is started using 
system 10. A severity rating for non-compliance with the requirements is entered 
by a designee of the resource team listed above, and the compliance policies are 
assessed and valuated. Finally, the immediate risks are identified, construction of 
the QFD matrix is completed and the compliance risk areas are prioritized. 
(Emphasis added.) (Para. 0068.) 

Using the QFD matrix and the prioritized risk areas, the resource team maps a 
high level business risk model which includes the steps of identifying the business 
core processes and products such as marketing or billing and collecting, 
brainstorming the business risks associated with those core processes and 
products, and associating the business risks with the corresponding compliance 
requirements and risks.... (Emphasis added.) (Para. 0069.) 

Subsequently, a list of compliance requirements is compiled and prioritized by the 
resource team. The list of compliance requirements is compiled and prioritized by 
using and adding to database 18 stored on server 12 (shown in Figures 1 and 2). 
Database 18 includes, for example, the core compliance areas within the 
business' declared policies and procedures (referred to as the business Spirit and 
Letter), regulatory and legal requirements of the business, contractual and 
internal policy requirements, and compliance risks noted in business risk model 
160 (shown in Figure 10). As described above, the list of compliance 
requirements also is prioritized. In an exemplary embodiment, the list of 
compliance requirements is prioritized by the resource team based on the severity 
rating of non-compliance. Severity ratings are generated using stored and newly 
added knowledge base information relevant to severity. The knowledge base 
includes information relating to how a compliance expert, in a worst case 
scenario situation, would rate damage to the business reputation and/or the 
financial impact to a business. The knowledge base may be specific to individual 
business processes and products. For example, when a business reputation is 
damaged, the severity rating of non-compliance is high when it has a company 
impact, medium when it has a division impact and low when it has only a regional 
impact. The list of compliance requirements is organized in accordance with a 
severity matrix format. Accordingly, in one specific embodiment, the financial 
impact of non-compliance is rated high when there is an impact greater than ten 
percent of net income, medium when the impact is greater than five percent, but 
less than ten percent, of net income, and low when it has an impact affecting less 
than five percent of net income. Alternatively, different weighting formulas can 
be used. (Emphasis added.) (Para. 0072.) 

Applicants respectfully submit that the present invention is fully enabled by the originally 
filed specification. By way of example, Applicants have provided the above section of the 
originally filed specification as support for this enablement. However, Applicants respectfully 
submit that they could provide numerous other sections of the originally filed specification that
provide further support for the enablement of the present invention. 

Specifically, Applicants respectfully submit that the originally filed specification clearly
describes a knowledge base that is gathered and stored within the database. The database is 
coupled to the server. The server is configured to access and utilize the knowledge base in 
combination with additional information that is inputted into the server through a user interface 
so that the server is able to assess compliance, prioritize risk, benchmark existing programs, 
identify improvement opportunities, and identify potential best practices as part of a compliance 
program. 

Accordingly, Applicants respectfully submit that the originally filed specification, which 
includes the Figures, would enable one of ordinary skill in the art to make and/or use the 
invention. Therefore, Applicants submit that Claims 31-89 are fully enabled and patentable. 
Accordingly, Applicants respectfully request that the rejection of Claims 31-89 under Section 
112, first paragraph, be withdrawn. 

For the reasons set forth above, Applicants respectfully request that the rejection of 
Claims 31-89 under Section 112, first paragraph, be withdrawn.

The rejection of Claims 2, 5, 6, 8, 11, 21, 23, 26, 29, 31-62, and 70 under 35 U.S.C. §
112, second paragraph, is respectfully traversed.

Applicants respectfully submit that Claims 2, 5, 6, 8, 11, 21, 23, 26, 29, 31-62, and 70 
satisfy section 112, second paragraph. Specifically, Applicants respectfully submit that Claims
2, 5, 6, 8, 11, 21, 23, 26, 29, 31-62, and 70 are definite and particularly point out and distinctly
claim the subject matter of the invention. 

Claims 2, 8, 32, and 34 have been amended such that the recitation of "identifying and 
interviewing process owners for the questionnaire answers" is further defined, and Applicants 
respectfully submit that amended Claims 2, 8, 32, and 34 are definite and not contradictory. 

Based on the amendments to independent Claim 1, Applicants respectfully submit that 
amended Claim 50 is definite.

Claim 5 has been amended to address the Examiner's concerns. Applicants respectfully
submit that Claim 5 is definite. 

Claim 6 has been amended to address the Examiner's concerns. Applicants respectfully 
submit that Claim 6 is definite. 

Claims 11 and 39 have been amended to address the Examiner's concerns. Applicants
respectfully submit that Claims 11 and 39 are definite.

Claims 21, 51, and 52 have been amended to address the Examiner's concerns, and 
Applicants respectfully submit that Claims 21, 51, and 52 are definite.

Claim 23 has been amended to address the Examiner's concerns. Applicants respectfully 
submit that Claim 23, as amended, has proper antecedent basis. 

Claims 26 and 57 have been amended to address the Examiner's concerns, and 
Applicants respectfully submit that Claims 26 and 57 are definite. 

The Examiner states in the Office Action that Claims 29 and 59 are indefinite, because 
one wishing to avoid infringement would not know what a "policy dashboard" is. Applicants 
respectfully submit that one skilled in the art would know that a dashboard, in computer 
technology, is a unified display of multiple components. In this case, a policy dashboard is a 
unified display of the actions items list. Applicants respectfully submit that Claims 29 and 59 
are definite. 

Claim 31 has been amended to address the Examiner's concerns, and Applicants 
respectfully submit that Claim 31 is definite. Claims 32-56 and 58-62 depend from independent 
Claim 31 which is submitted to be definite. When the recitations of Claims 32-56 and 58-62 are 
considered in combination with the recitations of Claim 31, Applicants submit that dependent 
Claims 32-56 and 58-62 are also definite. 

Claim 70 has been amended to address the Examiner's concerns. Applicants respectfully 
submit that Claim 70, as amended, has proper antecedent basis.

For at least the reasons set forth above, Applicants respectfully request that the rejection
of Claims 2, 5, 6, 8, 11, 21, 23, 26, 29, 31-62, and 70 under 35 U.S.C. § 112, second paragraph,
be withdrawn. 

The rejection of Claims 1-16, 18-23, 25-45, 47-53, and 55-89 under 35 U.S.C. § 103(a) as 
being unpatentable over Fetherston (U.S. Publication No. 2002/0120642) is respectfully 
traversed. 

Applicants respectfully submit that Fetherston does not describe or suggest the claimed 
invention. As discussed below, at least one of the differences between Fetherston and the 
present invention is that Fetherston does not describe or suggest a method for conducting a 
compliance risk assessment and mitigation process that includes identifying, for each compliance 
risk identified, potential compliance failure modes, potential causes and effects of such 
compliance failure modes, current controls in place, and a detection rating, wherein the detection 
rating is a value representing whether current controls in place will detect potential compliance 
failure modes. Moreover, Applicants submit that Fetherston does not describe or suggest storing 
the risks, the risk priority, the failure modes, the causes and effects of the failure modes, the 
current controls in place, and the detection ratings in the database. 

Furthermore, Applicants submit that Fetherston does not describe or suggest a method 
including calculating a risk prioritization number (RPN) for each compliance risk identified, and 
implementing risk monitoring and control mechanisms to mitigate compliance risks based on the 
calculated RPNs including recommending actions to be implemented to reduce the calculated 
RPNs. 

Fetherston describes a system for assisting an organization to implement and maintain 
compliance management programs. The system includes a plurality of modules relating to 
particular compliance obligations. Specifically, the system includes a master database 
containing information on the compliance obligations, a slave database containing information 
and activities (i.e. incidents or accidents) in the organization and assessments of the organization, 
and report generating means for generating a report on actions required to render the 
organization compliant with the obligations in the master database. More specifically, the master 
database includes input/output devices where a user may access a plurality of modules wherein 
each module is related to a particular piece of legislation, and the module is presented to the user
on a display device. The display device also includes a plurality of sub-modules such as text 
documents that are stored in a storage unit and memory for display on a display unit when 
selected by the user. The user may select a sub-module that displays a risk assessment form 
permitting the user to enter and store data in the slave database information about hazards in an 
organization such as an accident. The sub-module forces the user to follow a process and pattern 
of data entry into the various risk assessment forms. Once the data is entered by the user, the 
data is stored in the slave database. Fetherston also describes a risk assessment means that 
compares data in the slave database to compliance criteria from the master database. 
Specifically, the risk assessment means determines a numerical priority or risk assessment rating 
as the product of severity and frequency. A rating that exceeds a certain rating is brought to the 
attention of the user. Moreover, Fetherston describes that reports detailing particular hazards 
may be produced. 

Claim 1 recites a method for conducting a consistent, documented and yet repeatable 
compliance risk assessment and mitigation process, using a network-based system including a 
server system coupled to a centralized database and at least one client system, the method 
includes "storing in the database compliance information including at least one questionnaire 
relating to compliance, compliance requirements for each functional area within a business, and 
persons responsible for compliance within each functional area within the business . . . 
displaying a questionnaire on a client system associated with a person responsible for 
compliance with at least one functional area within the business, the questionnaire is transmitted 
from the server system to the client system of the compliance person and is generated using the 
compliance information stored within the database . . . receiving at the server a response inputted 
by the compliance person to the displayed questionnaire . . . processing the response to the 
displayed questionnaire at the server . . . prioritizing compliance risks for the business including 
identifying compliance risks for each functional area within the business, and prioritizing the 
compliance risks from high to low based on a severity rating of non-compliance . . . identifying, 
for each compliance risk identified, potential compliance failure modes potential causes and 
effects of such compliance failure modes, current controls in place, and a detection rating, 
wherein the detection rating is a value representing whether current controls in place will detect 
potential compliance failure modes . . . storing the risks, the risk priority, the failure modes the 
causes and effects of the failure modes, the current controls in place, and the detection ratings in
the database . . . calculating a risk prioritization number (RPN) for each compliance risk 
identified based on the data stored in the database, wherein the RPN represents a relative 
compliance risk of a particular failure mode . . . implementing risk monitoring and control 
mechanisms to mitigate compliance risks based on the calculated RPNs including recommending 
actions to be implemented to reduce the calculated RPNs" (Emphasis added.) 

Fetherston does not describe or suggest a method as recited in Claim 1. More
specifically, Fetherston does not describe or suggest a method for conducting a compliance risk 
assessment and mitigation process that includes identifying, for each compliance risk identified, 
potential compliance failure modes, potential causes and effects of such compliance failure 
modes, current controls in place, and a detection rating, wherein the detection rating is a value 
representing whether current controls in place will detect potential compliance failure modes. 
Moreover, Applicants submit that Fetherston does not describe or suggest storing the risks, the 
risk priority, the failure modes, the causes and effects of the failure modes, the current controls in 
place, and the detection ratings in the database. 

Furthermore, Applicants submit that Fetherston does not describe or suggest a method 
including calculating a risk prioritization number (RPN) for each compliance risk identified, and 
implementing risk monitoring and control mechanisms to mitigate compliance risks based on the 
calculated RPNs including recommending actions to be implemented to reduce the calculated 
RPNs. 

Rather, Fetherston describes a system for assisting an organization to implement and 
maintain compliance management programs wherein the system includes a master database 
containing information on the compliance obligations, a slave database containing information 
and activities (i.e. incidents or accidents) in the organization and assessments of the organization, 
and report generating means for generating a report on actions required to render the 
organization compliant with the obligations in the master database. Fetherston does not describe 
or suggest a method for conducting a compliance risk assessment and mitigation process as
recited in Claim 1. For example, Fetherston does not describe or suggest a method for
conducting a compliance risk assessment and mitigation process that includes identifying, for
each compliance risk identified, potential compliance failure modes, potential causes and effects
of such compliance failure modes, current controls in place, and a detection rating, wherein the 
detection rating is a value representing whether current controls in place will detect potential 
compliance failure modes. 

In fact, the Office Action acknowledges at page 12 that "not specifically disclosed is the 
step of identifying failure modes with the causes and effects of the compliance failure modes 
along with the storing of this data in the database." Fetherston fails to teach the step of 
identifying, for each compliance risk identified, potential compliance failure modes, potential 
causes and effects of such compliance failure modes, current controls in place, and a detection 
rating, wherein the detection rating is a value representing whether current controls in place will 
detect potential compliance failure modes. Moreover, Applicants traverse the assertion that "one 
of ordinary skill in the art would have been motivated to do what is claimed." There is no 
motivation disclosed to identify potential compliance failure modes, causes and effects, current 
controls in place, and a detection rating. Applicants submit that one of ordinary skill in the art 
would not have been motivated to identify the current controls in place and the detection rating. 

Moreover, Fetherston does not describe or suggest a method for conducting a compliance 
risk assessment and mitigation process that includes storing the risks, the risk priority, the failure 
modes, the causes and effects of the failure modes, the current controls in place, and the 
detection ratings in the database. The Office Action acknowledges that Fetherston does not 
specifically disclose storing the data in the database. However, the Office Action at page 13 
asserts that "one of ordinary skill in the art at the time the invention was made would have been 
motivated to save all of the compliance data in the database to ensure that there is a transparent 
audit trail . . .". Applicants traverse the assertion that one of ordinary skill in the art would have 
been motivated to save all of the compliance data. There is no motivation to save all of the 
compliance data. Specifically, there is no motivation to store the current controls in place and 
the detection rating in the database. 

Accordingly, for at least the reasons set forth above, Applicants respectfully submit that 
Claim 1 is patentable over Fetherston, and Applicants respectfully request that the 35 U.S.C. § 
103 rejection of Claim 1 be withdrawn. 

Claims 2-25 and 27-30 depend from independent Claim 1 which is submitted to be in 
condition for allowance. When the recitations of Claims 2-25 and 27-30 are considered in 
combination with the recitations of Claim 1, Applicants submit that dependent Claims 2-25 and 
27-30 are also patentable over Fetherston. 

Claim 31 recites a system for identifying and quantifying compliance that includes at 
least one computer, a database for storing compliance information including at least one 
questionnaire relating to compliance, compliance requirements for each functional area within a 
business, and persons responsible for compliance within each functional area within the business, 
and a server configured to assemble a cross functional team, identify and interview for 
compliance, compile interview results and summarize the results of the assessment of at least one 
compliance program, and a network connecting the computer to the server, wherein the server is 
configured to "display a questionnaire on said computer associated with a person responsible for 
compliance with at least one functional area within the business, the network is configured to 
transmit the questionnaire from said server to said computer of the compliance person and is 
generated using the compliance information stored within the database. . .receive a response 
inputted by the compliance person to the displayed questionnaire. . .process the response to the 
displayed questionnaire. . .prioritize compliance risks for the business including identifying 
compliance risks for each functional area within the business, and prioritizing the compliance 
risks from high to low based on a severity rating of non-compliance. . .identify, for each 
compliance risk identified, potential compliance failure modes, potential causes and effects of 
such compliance failure modes, current controls in place, and a detection rating, wherein the 
detection rating is a value representing whether current controls in place will detect potential 
compliance failure modes . . . store the risks, the risk priority, the failure modes, the causes and 
effects of the failure modes, the current controls in place, and the detection ratings in the 
database . . . calculate a risk prioritization number (RPN) for each compliance risk identified 
based on the data stored in the database, wherein the RPN represents a relative compliance risk 
of a particular failure mode . . . recommend risk monitoring and control mechanisms to mitigate 
compliance risks based on the calculated RPNs including recommending actions to be 
implemented to reduce the calculated RPNs." (Emphasis added.) 

Claim 31, as herein amended, recites a system for identifying and quantifying compliance 
that includes a server configured to perform steps essentially similar to those recited in Claim 1. 
Thus, it is submitted that Claim 31 is patentable over Fetherston for reasons that correspond to 
those given with respect to Claim 1. 

For at least the reasons as set forth above, Applicants respectfully request that the 35 
U.S.C. § 103 rejection of Claim 31 be withdrawn. 

Claims 32-56 and 58-62 depend from independent Claim 31 which is submitted to be in 
condition for allowance. When the recitations of Claims 32-56 and 58-62 are considered in 
combination with the recitations of Claim 31, Applicants submit that dependent Claims 32-56 
and 58-62 are also patentable over Fetherston. 

Claim 63 recites a computer programmed to "store in a database compliance information 
including at least one questionnaire relating to compliance, compliance requirements for each 
functional area within a business, and persons responsible for compliance within each functional 
area within the business. . .display a questionnaire for a person responsible for compliance with at 
least one functional area within the business, the questionnaire is generated using the compliance 
information stored within the database, displaying the questionnaire includes assembling a cross 
functional team to conduct the compliance risk assessment . . .receive a response inputted by the 
compliance person to the displayed questionnaire. . .process the response to the displayed 
questionnaire. . .prioritize compliance risks for the business including identifying compliance 
risks for each functional area within the business, and prioritizing the compliance risks from high 
to low based on a severity rating of non-compliance. . . identify, for each compliance risk 
identified, potential compliance failure modes, potential causes and effects of such compliance 
failure modes, current controls in place, and a detection rating, wherein the detection rating is a 
value representing whether current controls in place will detect potential compliance failure 
modes . . . store the risks, the risk priority, the failure modes, the causes and effects of the failure 
modes, the current controls in place, and the detection ratings in the database . . . calculate a risk 
prioritization number (RPN) for each compliance risk identified based on the data stored in the 
database, wherein the RPN represents a relative compliance risk of a particular failure mode . . . 
recommend risk monitoring and control mechanisms to mitigate compliance risks based on the 
calculated RPNs including recommending actions to be implemented to reduce the calculated 
RPNs." (Emphasis added.) 

Claim 63, as herein amended, recites a computer programmed to perform steps 
essentially similar to the steps recited in Claim 1. Thus, it is submitted that Claim 63 is 
patentable over Fetherston for reasons that correspond to those given with respect to Claim 1. 

For at least the reasons as set forth above, Applicants respectfully request that the 35 
U.S.C. § 103 rejection of Claim 63 be withdrawn. 

Claims 64-75 depend from independent Claim 63 which is submitted to be in condition 
for allowance. When the recitations of Claims 64-75 are considered in combination with the 
recitations of Claim 63, Applicants submit that dependent Claims 64-75 are also patentable over 
Fetherston. 

Claim 76 recites a computer program embodied on a computer readable medium for 
managing compliance risk assessment to enable businesses to develop broader and deeper 
coverage of compliance risks, using a network based system including a server system coupled 
to a centralized database and at least one client system, the computer program includes a code 
segment that "stores in the database compliance information including at least one questionnaire 
relating to compliance, compliance requirements for each functional area within a business, and 
persons responsible for compliance within each functional area within the business. . .displays a 
questionnaire on a client system associated with a person responsible for compliance with at least 
one functional area within the business, the questionnaire is transmitted from the server system 
to the client system of the compliance person and is generated using the compliance information 
stored within the database, displaying the questionnaire includes assembling a cross functional 
team to conduct the compliance risk assessment . . .receives a response inputted by the 
compliance person to the displayed questionnaire. . .processes the response to the displayed 
questionnaire at the server. . .prioritizes compliance risks for the business including identifying 
compliance risks for each functional area within the business, and prioritizing the compliance 
risks from high to low based on a severity rating of non-compliance. . . identifies, for each 
compliance risk identified, potential compliance failure modes, potential causes and effects of 
such compliance failure modes, current controls in place, and a detection rating, wherein the 
detection rating is a value representing whether current controls in place will detect potential 
compliance failure modes . . . stores the risks, the risk priority, the failure modes, the causes and 
effects of the failure modes, the current controls in place, and the detection ratings in the 
database . . . calculates a risk prioritization number (RPN) for each compliance risk identified 
based on the data stored in the database, wherein the RPN represents a relative compliance risk 
of a particular failure mode . . . recommends risk monitoring and control mechanisms to mitigate 
compliance risks based on the calculated RPNs including recommending actions to be 
implemented to reduce the calculated RPNs." (Emphasis added.) 

Claim 76 recites a computer program embodied on a computer readable medium that 
includes a code segment programmed to perform steps essentially similar to those recited in 
Claim 1. Thus, it is submitted that Claim 76 is patentable over Fetherston for reasons that 
correspond to those given with respect to Claim 1. 

For at least the reasons as set forth above, Applicants respectfully request that the 35 
U.S.C. § 103 rejection of Claim 76 be withdrawn. 

Claims 77-89 depend from independent Claim 76 which is submitted to be in condition 
for allowance. When the recitations of Claims 77-89 are considered in combination with the 
recitations of Claim 76, Applicants submit that dependent Claims 77-89 are also patentable over 
Fetherston. 

For at least the reasons set forth above, Applicants respectfully request that the Section 
103 rejection of Claims 1-16, 18-23, 25-45, 47-53, and 55-89 be withdrawn. 

In addition to the arguments set forth above, Applicant respectfully submits that the 
Section 103 rejection of Claims 1-16, 18-23, 25-45, 47-53, and 55-89 is not a proper rejection. 
Obviousness cannot be established by merely suggesting that it would have been obvious to one 
of ordinary skill in the art to modify Fetherston. More specifically, as is well established, 
obviousness cannot be established by combining the teachings of the cited art to produce the 
claimed invention, absent some teaching, suggestion, or incentive supporting the combinations. 
It is impermissible to use the claimed invention as an instruction manual or "template" to piece 
together the teachings of the prior art so that the claimed invention is rendered obvious. 
Specifically, one cannot use hindsight reconstruction to pick and choose among isolated 
disclosures in the prior art to deprecate the claimed invention. Further, it is impermissible to 
pick and choose from any one reference only so much of it as will support a given position, to 
the exclusion of other parts necessary to the full appreciation of what such reference fairly 
suggests to one of ordinary skill in the art. 

For at least the reasons set forth above, Applicants respectfully request that the Section 
103 rejection of Claims 1-16, 18-23, 25-45, 47-53, and 55-89 be withdrawn. 

New Claim 119 is a dependent claim depending from independent Claim 1. For the same 
reasons Claim 1 is allowable, so is new Claim 119. 

New Claim 120 is a dependent claim depending from independent Claim 31. For the 
same reasons Claim 31 is allowable, so is new Claim 120. 

New Claim 121 is a dependent claim depending from independent Claim 63. For the 
same reasons Claim 63 is allowable, so is new Claim 121. 

New Claim 122 is a dependent claim depending from independent Claim 76. For the 
same reasons Claim 76 is allowable, so is new Claim 122. 

In view of the foregoing amendments and remarks, all the claims now active in this 
application are believed to be in condition for allowance. Reconsideration and favorable action 
is respectfully solicited. 



Respectfully Submitted, 




Daniel M. Fitzgerald 
Registration No. 38,880 
ARMSTRONG TEASDALE LLP 
One Metropolitan Square, Suite 2600 
St. Louis, Missouri 63102-2740 
(314)621-5070 